Question

Single Sign-on Extensions Ipad

  • November 13, 2025

tdenton

Hello

In the process of testing the single sign-on extension for managed iPads, I have deployed the Authenticator app and the single sign-on profile with the following plist.

SSO is working great on all apps except Outlook; I think it has something to do with how Outlook uses SSO / the auth method it uses.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- Existing Keys -->
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>0</integer>

<!-- Managed App Config for Intune -->
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>

<!-- Required for Microsoft Enterprise SSO -->
<key>ExtensionIdentifier</key>
<string>com.apple.extensiblesso</string>
<key>TeamIdentifier</key>
<string>UBF8T346G9</string>
<key>URLs</key>
<array>
<string>https://login.microsoftonline.com</string>
<string>https://login.windows.net</string>
</array>

<!-- App Identifiers for SSO -->
<key>AppIdentifierAllowList</key>
<array>
<string>com.microsoft.Outlook</string>
<string>com.microsoft.Office.Word</string>
<string>com.microsoft.Office.Excel</string>
<string>com.microsoft.Office.Powerpoint</string>
<string>com.microsoft.teams</string>
<string>com.microsoft.Authenticator</string>
</array>
</dict>
</plist>

I have also pushed out some app config for Outlook, but that doesn't seem to help either.


<dict>
<key>com.microsoft.outlook.EmailProfile.AccountType</key>
<string>ModernAuth</string>
<key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
<string>{{ email }}</string>
<key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
<string>outlook.office365.com</string>
<key>com.microsoft.outlook.EmailProfile.UserName</key>
<string>{{ email }}</string>
</dict>

Has anyone else come across this? Currently I'm being prompted for a password when setting up Outlook, which should happen.





Thanks
Tom

1 reply

h1431532403240

Hi Tom,

This is a common issue that many admins encounter when configuring the Microsoft Enterprise SSO Extension for iPads with Outlook. The behavior you're seeing - SSO working for most apps but Outlook still prompting for a password - is typically related to how Outlook uses MSAL (Microsoft Authentication Library) for authentication.

Troubleshooting Steps:

  1. Verify Microsoft Authenticator is properly deployed
    • The Microsoft Authenticator app must be installed on the device (not just the configuration profile). Ensure it's deployed via VPP/Apple Business Manager as a device-licensed app.
    • Users don't need to configure Authenticator, but it must be present on the device.
  2. Update your SSO Extension configuration. Your current plist has some configuration issues. Try this updated version:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>

Key changes:

  • Removed ExtensionIdentifier, TeamIdentifier, URLs, and AppIdentifierAllowList from the custom plist - these should be configured in the SSO Extension payload itself in Jamf Pro, not in the additional configuration.
  • Added disable_explicit_app_prompt_and_autologin, which helps prevent apps from bypassing SSO at the protocol layer.

  3. Configure the SSO Extension in Jamf Pro correctly. In your Configuration Profile under Single Sign-On Extensions:
    • Extension Identifier: com.microsoft.azureauthenticator.ssoextension
    • Team Identifier: UBF8T346G9
    • Sign-On Type: Redirect
    • URLs should include:
      • https://login.microsoftonline.com
      • https://login.microsoft.com
      • https://sts.windows.net
      • https://login.partner.microsoftonline.cn
      • https://login.chinacloudapi.cn
      • https://login.microsoftonline.de
      • https://login.microsoftonline.us
      • https://login.usgovcloudapi.net
  4. Update your Outlook App Configuration. Your App Config variable syntax appears incorrect. Try:

<dict>
<key>com.microsoft.outlook.EmailProfile.AccountType</key>
<string>ModernAuth</string>
<key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
<string>{{email}}</string>
<key>IntuneMAMUPN</key>
<string>{{userprincipalname}}</string>
</dict>

  5. Check the first-time login flow. With the SSO Extension, users typically need to complete an initial authentication through the Authenticator app. After that first login, subsequent logins should use SSO. This is expected behavior - the SSO Extension needs to acquire a Primary Refresh Token (PRT) initially.
  6. Verify network requirements. Ensure the following URLs are allowed and not subject to TLS inspection:
    • https://device.login.microsoftonline.com
    • https://enterpriseregistration.windows.net

Reference Documentation:

Let me know if the issue persists after trying these adjustments!
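The reply's core point is that ExtensionIdentifier, TeamIdentifier and URLs belong on the Extensible SSO payload itself, while the Microsoft-specific keys belong in the payload's extension data. Below is an added example, not code from this thread, Jamf or Microsoft, that lints an exported profile against that advice with Python's standard plistlib. It assumes Apple's Extensible SSO payload key names (PayloadType, ExtensionIdentifier, TeamIdentifier, Type, URLs, ExtensionData) and uses the identifier, team ID and URLs the reply gives; the two sample payloads are constructed here, one mirroring the question's misplaced keys and one mirroring the reply's recommendations.

```python
"""Lint a com.apple.extensiblesso payload for the Microsoft Enterprise SSO extension.

Added example (not from the thread, Jamf or Microsoft). Key names follow Apple's
Extensible Single Sign-On payload; expected values come from the reply above.
"""
import plistlib

# Values the reply says the SSO payload itself must carry.
EXPECTED_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
EXPECTED_TEAM_ID = "UBF8T346G9"
EXPECTED_TYPE = "Redirect"
REQUIRED_URLS = {
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
}
# Apple payload-level keys that must not be buried inside ExtensionData.
PAYLOAD_LEVEL_KEYS = {"ExtensionIdentifier", "TeamIdentifier", "URLs"}

# Constructed sample: mirrors the question (payload-level keys put in ExtensionData,
# ExtensionIdentifier confused with the payload type, incomplete URL list).
QUESTION_LIKE_PAYLOAD = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": "com.apple.extensiblesso",
    "TeamIdentifier": EXPECTED_TEAM_ID,
    "Type": "Redirect",
    "URLs": ["https://login.microsoftonline.com", "https://login.windows.net"],
    "ExtensionData": {
        "AppPrefixAllowList": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
        "browser_sso_interaction_enabled": 1,
        "ExtensionIdentifier": "com.apple.extensiblesso",
        "TeamIdentifier": EXPECTED_TEAM_ID,
        "URLs": ["https://login.microsoftonline.com"],
    },
}

# Constructed sample: mirrors the reply's recommended layout.
REPLY_LIKE_PAYLOAD = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": EXPECTED_EXTENSION_ID,
    "TeamIdentifier": EXPECTED_TEAM_ID,
    "Type": "Redirect",
    "URLs": sorted(REQUIRED_URLS),
    "ExtensionData": {
        "AppPrefixAllowList": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": 1,
        "disable_explicit_app_prompt_and_autologin": 1,
    },
}


def lint_sso_payload(payload: dict) -> list[str]:
    """Return human-readable findings for one Extensible SSO payload (empty = OK)."""
    findings: list[str] = []
    if payload.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("PayloadType must be com.apple.extensiblesso")
    ext_id = payload.get("ExtensionIdentifier")
    if ext_id != EXPECTED_EXTENSION_ID:
        findings.append(f"ExtensionIdentifier is {ext_id!r}; expected {EXPECTED_EXTENSION_ID!r}")
    team_id = payload.get("TeamIdentifier")
    if team_id != EXPECTED_TEAM_ID:
        findings.append(f"TeamIdentifier is {team_id!r}; expected {EXPECTED_TEAM_ID!r}")
    if payload.get("Type") != EXPECTED_TYPE:
        findings.append(f"Type is {payload.get('Type')!r}; expected {EXPECTED_TYPE!r}")
    missing_urls = sorted(REQUIRED_URLS - set(payload.get("URLs", [])))
    if missing_urls:
        findings.append("URLs is missing: " + ", ".join(missing_urls))
    ext_data = payload.get("ExtensionData") or {}
    misplaced = sorted(PAYLOAD_LEVEL_KEYS & set(ext_data))
    if misplaced:
        findings.append("ExtensionData carries payload-level keys: " + ", ".join(misplaced))
    if ext_data.get("browser_sso_interaction_enabled") != 1:
        findings.append("ExtensionData.browser_sso_interaction_enabled should be 1")
    return findings


def lint_sso_plist(data: bytes) -> list[str]:
    """Lint plist bytes: a full .mobileconfig (payloads under PayloadContent) or one payload."""
    doc = plistlib.loads(data)
    if isinstance(doc.get("PayloadContent"), list):
        targets = [p for p in doc["PayloadContent"] if p.get("PayloadType") == "com.apple.extensiblesso"]
    else:
        targets = [doc]
    findings: list[str] = []
    for payload in targets:
        findings.extend(lint_sso_payload(payload))
    return findings


def run_samples() -> dict[str, list[str]]:
    """Serialize both constructed samples to plist XML and lint them."""
    return {
        name: lint_sso_plist(plistlib.dumps(payload))
        for name, payload in (("question", QUESTION_LIKE_PAYLOAD), ("reply", REPLY_LIKE_PAYLOAD))
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against an exported profile with `lint_sso_plist(open("profile.mobileconfig", "rb").read())`; a signed profile must be unsigned first, since plistlib only reads the plain XML. The question-like sample reports three findings (wrong ExtensionIdentifier, two missing URLs, payload-level keys inside ExtensionData); the reply-like sample reports none.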